---
layout: "docs"
page_title: "Commands: ACL Policy Management"
sidebar_current: "docs-commands-acl-policy"
---

# Consul ACL Policies

Command: `consul acl policy`

The `acl policy` command is used to manage Consul's ACL policies. There are
subcommands for the individual operations that can be performed.

* [`create`](#create)
* [`read`](#read)
* [`update`](#update)
* [`delete`](#delete)
* [`list`](#list)

ACL policies are also accessible via the [HTTP API](/api/acl/acl.html).

Usage: `consul acl policy <subcommand> [options] [args]`

-> **Note:** All of the examples show for the subcommands will require a valid Consul token with the appropriate permissions.
Either set the `CONSUL_HTTP_TOKEN` environment variable to the tokens secret ID or pass the secret ID as the value of the `-token`
parameter.

## Identitying Polices

In several of the subcommands a policy will have to be identified to be read, modified or deleted. Those subcommands support
specifying the policy by its ID using the `-id` parameter or by name using the `-name` parameter. When specifying the policy
by its ID a unique policy ID prefix may be specified instead of the entire UUID. As long as it is unique it will be resolved
to the full UUID and used. Additionally builtin policy names will be accepted as the value to the `-id` parameter. Even if
the builtin policies are renamed their original name can be used to operate on them.

Builtin Policies:

| Policy UUID                          | Policy Name       |
| ------------------------------------ | ----------------- |
| 00000000-0000-0000-0000-000000000001 | global-management |

## Common Subcommand Options

All of the `consul acl policy` subcommands support the following options:

<%= partial "docs/commands/http_api_options_client" %>
<%= partial "docs/commands/http_api_options_server" %>

## `create`

Command: `consul acl policy create`

This command creates new policies. The policies rules can either be set explicitly or the
`-from-token` parameter may be used to load the rules from a legacy ACL token. When loading
the rules from an existing legacy ACL token, the rules get translated from the legacy syntax
to the new syntax.

Both the `-rules` and `-from-token` parameter values allow loading the value
from stdin, a file or the raw value. To use stdin pass `-` as the value.
To load the value from a file prefix the value with an `@`. Any other
values will be used directly.

-> **Deprecated:** The `-from-token` and `-token-secret` arguments exist only as a convenience
to make legacy ACL migration easier. These will be removed in a future major release when
support for the legacy ACL system is removed.

### Usage

Usage: `consul acl policy create [options] [args]`

#### Options

* [Common Subcommand Options](#common-subcommand-options)

* `-description=<string>` - A description of the policy.

* `-from-token=<string>` - The legacy token to retrieve the rules for when creating this
   policy. When this is specified no other rules should be given.
   Similar to the -rules option the token to use can be loaded from
   stdin or from a file.

* `-meta` - Indicates that policy metadata such as the content hash and raft
   indices should be shown for each entry.

* `-name=<string>` - The new policy's name. This flag is required.

* `-rules=<string>` - The policy rules. May be prefixed with '@' to indicate that the
   value is a file path to load the rules from. '-' may also be given
   to indicate that the rules are available on stdin.

* `-token-secret` - Indicates the token provided with -from-token is a SecretID and not
   an AccessorID.

* `-valid-datacenter=<value>` - Datacenter that the policy should be valid within.
   This flag may be specified multiple times.


### Examples

Create a new policy that is valid in all datacenters:

```sh
$ consul acl policy create -name "acl-replication" -description "Policy capable of replicating ACL policies" -rules 'acl = "read"'
ID:           35b8ecb0-707c-ee18-2002-81b238b54b38
Name:         acl-replication
Description:  Policy capable of replicating ACL policies
Datacenters:
Rules:
acl = "read"
```

Create a new policy valid only in specific datacenters with rules read from a file:

```sh
$ consul acl policy create -name "replication" -description "Replication" -rules @rules.hcl -valid-datacenter dc1 -valid-datacenter dc2
ID:           ca44555b-a2d8-94de-d763-88caffdaf11f
Name:         replication
Description:  Replication
Datacenters:  dc1, dc2
Rules:
acl = "read"
service_prefix "" {
   policy = "read"
   intentions = "read"
}
```

Create a new policy with rules equivalent to that of a legacy ACL token:

```sh
$ consul acl policy create -name "node-services-read" -from-token 5793a5ce -description "Can read any node and service"
ID:           06acc965-df4b-5a99-58cb-3250930c6324
Name:         node-services-read
Description:  Can read any node and service
Datacenters:
Rules:
service_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

```

## `read`

Command: `consul acl policy read`

This command reads and displays a policies details.

### Usage

Usage: `consul acl policy read [options] [args]`

#### Options

* [Common Subcommand Options](#common-subcommand-options)

* `-id=<string>` - The ID of the policy to read. It may be specified as a unique ID
   prefix but will error if the prefix matches multiple policy IDs.

* `-meta` - Indicates that policy metadata such as the content hash and raft
  indices should be shown for each entry.

* `-name=<string>` - The name of the policy to read.

### Examples

Get policy details:

```sh
$ consul acl policy read -id 00000000-0000-0000-0000-000000000001
ID:           00000000-0000-0000-0000-000000000001
Name:         global-management
Description:  Builtin Policy that grants unlimited access
Datacenters:
Rules:

acl = "write"
agent_prefix "" {
   policy = "write"
}
event_prefix "" {
   policy = "write"
}
key_prefix "" {
   policy = "write"
}
keyring = "write"
node_prefix "" {
   policy = "write"
}
operator = "write"
query_prefix "" {
   policy = "write"
}
service_prefix "" {
   policy = "write"
   intentions = "write"
}
session_prefix "" {
   policy = "write"
}
```

Get policy details by name:

```sh
$ consul acl policy read -name "acl-replication"
ID:           35b8ecb0-707c-ee18-2002-81b238b54b38
Name:         acl-replication
Description:  Token capable of replicating ACL policies
Datacenters:
Rules:
acl = "read"
```

Get policy details (Builtin Policies):

Builtin policies can be accessed by specifying their original name as the value to the `-id` parameter.

```sh
$ consul acl policy read -id global-management
ID:           00000000-0000-0000-0000-000000000001
Name:         global-management
Description:  Builtin Policy that grants unlimited access
Datacenters:
Hash:         b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
Create Index: 4
Modify Index: 4
Rules:

acl = "write"
agent_prefix "" {
   policy = "write"
}
event_prefix "" {
   policy = "write"
}
key_prefix "" {
   policy = "write"
}
keyring = "write"
node_prefix "" {
   policy = "write"
}
operator = "write"
query_prefix "" {
   policy = "write"
}
service_prefix "" {
   policy = "write"
   intentions = "write"
}
session_prefix "" {
   policy = "write"
}
```

## `update`

Command: `consul acl policy update`

This command is used to update a policy. The default operations is to merge the current policy
with those values provided to the command invocation. Therefore to update just one field, only
the `-id` or `-name` options and the option to modify must be provided. Note that renaming
policies requires both the `-id` and `-name` as the new name cannot yet be used to lookup the
policy.

### Usage

Usage: `consul acl policy update [options] [args]`

#### Options

* [Common Subcommand Options](#common-subcommand-options)

* `-description=<string>` - A description of the policy.

* `-id=<string>` - The ID of the policy to update. It may be specified as a
   unique ID prefix but will error if the prefix matches multiple policy IDs

* `-meta` - Indicates that policy metadata such as the content hash and raft
  indices should be shown for each entry

* `-name=<string>` - The policies name.

* `-no-merge` - Do not merge the current policy information with what is provided
   to the command. Instead overwrite all fields with the exception of
   the policy ID which is immutable.

* `-rules=<string>` - The policy rules. May be prefixed with `@` to indicate that
   the value is a file path to load the rules from. `-` may also be given to
   indicate that the rules are available on stdin.

* `-valid-datacenter=<value>` - Datacenter that the policy should be valid within.
   This flag may be specified multiple times.

### Examples

Update a policy:

```sh
$ consul acl policy update -id 35b8 -name "replication" -description "Policy capable of replication ACL policies and Intentions" -rules @rules.hcl
Policy updated successfully
ID:           35b8ecb0-707c-ee18-2002-81b238b54b38
Name:         replication
Description:  Policy capable of replication ACL policies and Intentions
Datacenters:
Rules:
acl = "read"

service_prefix "" {
   policy = "read"
   intentions = "read"
}
```

Rename a policy:

```sh
$ consul acl policy update -id 35b8 -name "dc1-replication"
Policy updated successfully
ID:           35b8ecb0-707c-ee18-2002-81b238b54b38
Name:         dc1-replication
Description:  Policy capable of replication ACL policies and Intentions
Datacenters:  dc1
Rules:
acl = "read"

service_prefix "" {
   policy = "read"
   intentions = "read"
}

```

## `delete`

Command: `consul acl policy delete`

This command deletes a policy. Policies may be deleted by their ID or by name.

### Usage

Usage: `consul acl policy delete [options]`

#### Options

* [Common Subcommand Options](#common-subcommand-options)

* `-id=<string>` - The ID of the policy to delete. It may be specified as a
   unique ID prefix but will error if the prefix matches multiple policy IDs.

* `-name=<string>` - The Name of the policy to delete.

### Examples

Delete a policy:

```sh
$ consul acl policy delete -id 35b8
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
```

Delete a policy by name:

```sh
$ consul acl policy delete -name acl-replication
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
```

## `list`

Command: `consul acl policy list`

This command lists all policies. By default it will not show metadata.

### Usage

Usage: `consul acl policy list`

#### Options

* [Common Subcommand Options](#common-subcommand-options)

* `-meta` - Indicates that policy metadata such as the content hash and
   Raft indices should be shown for each entry.

### Examples

Default listing.

```sh
$ consul acl policy list
global-management:
   ID:           00000000-0000-0000-0000-000000000001
   Description:  Builtin Policy that grants unlimited access
   Datacenters:
acl-replication:
   ID:           35b8ecb0-707c-ee18-2002-81b238b54b38
   Description:  Policy capable of replicating ACL policies
   Datacenters:
```

Show Metadata.

```sh
$ consul acl policy list -meta
global-management:
   ID:           00000000-0000-0000-0000-000000000001
   Description:  Builtin Policy that grants unlimited access
   Datacenters:
   Hash:         b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
   Create Index: 4
   Modify Index: 4
node-services-read:
   ID:           06acc965-df4b-5a99-58cb-3250930c6324
   Description:  Can read any node and service
   Datacenters:
   Hash:         19d2a73dcd315506af73bfff1492779a0dc0235066fcac07f432fb2cc3402133
   Create Index: 244
   Modify Index: 244
acl-replication:
   ID:           ca44555b-a2d8-94de-d763-88caffdaf11f
   Description:  Token capable of replicating ACL policies
   Datacenters:  dc1, dc2
   Hash:         b94669679cc24e0d064412e4aa90b470b7f900a8e0801f65feaf1f7d716a5390
   Create Index: 198
   Modify Index: 198
```
